Quantification of security events using behavioral, analytical, and threat intelligence attributes
Abstract
A system for testing a security object is disclosed. The system comprises processors and memory storing a plurality of security engines and instructions that, when executed by the processors, causes the system to: access a decision tree comprising a first node and a plurality of second nodes; link a first leaf node of the decision tree with a first security engine; link a second leaf node of the decision tree with a second security engine; receive a security object comprising a digital asset that is attackable using one or more attack execution operations; and test the security object using the decision tree to determine a security threat parameter for the security object. The security threat parameter may be used to prioritize one or more remediation steps for mitigating against the one or more attack execution operations associated with the digital asset.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A system comprising:
one or more hardware computing system processors; and memory storing a plurality of security-related operations and instructions that, when executed by the one or more hardware computing system processors, cause the system to:
access a decision tree comprising a plurality of nodes comprising a first node and a second node,
link the first node comprised in the plurality of nodes comprised in the decision tree with a first security-related operation comprised in the plurality of security-related operations,
link the second node comprised in the plurality of nodes comprised in the decision tree with a second security-related operation or the first security-related operation comprised in the plurality of security-related operations,
receive a security object comprising a digital or electronic asset that is attackable using one or more attack execution operations, wherein the security object comprises at least one of:
a file hash,
a file registry,
a first mutually exclusive flag object comprising one or more of:
a mechanism serializing access to a resource, or
an object managing how the resource is shared among a multiple program thread, or
an indicator of compromise, and
test the security object using the decision tree to determine a security parameter associated with the security object;
wherein the security parameter is used to establish one or more remediation steps associated with the one or more attack execution operations associated with the digital or electronic asset; and
wherein the test the security object using the decision tree to determine the security parameter associated with the security object comprises:
determine, using the first security-related operation or the second security-related operation, one or more threat attribute data associated with the security object, the one or more threat attribute data comprising at least one of: a first threat attribute, a second threat attribute, a third threat attribute, or a fourth threat attribute, and
determine, using the first security-related operation or the second security-related operation, the security parameter associated with the security object.
2 . The system of claim 1 , wherein the digital or electronic asset or the security object comprises one or more of:
a file, a network internet protocol, a universal resource locator, a domain name, or a domain object.
3 . The system of claim 1 , further caused to:
classify a malware sample associated with the security object into a threat category, or categorize the malware sample associated with the security object into a malware family based on a textual pattern or a binary pattern associated with the security object.
4 . The system of claim 1 , wherein the determine, using the first security-related operation or the second security-related operation, the security parameter associated with the security object comprises one or more of:
generate a first risk parameter using the first security-related operation or the second security-related operation, generate a second risk parameter using the first security-related operation or the second security-related operation, or designate at least one of:
the first risk parameter in response to the first risk parameter being greater in magnitude than the second risk parameter, or
the second risk parameter in response to the second risk parameter being greater in the magnitude than the first risk parameter.
5 . The system of claim 1 , wherein at least one of:
the first threat attribute comprises threat actor data associated with an attacker associated with the one or more attack execution operations, the second threat attribute comprises malware data associated with the one or more attack execution operations, the third threat attribute comprises security data associated with a security tool for executing the one or more attack execution operations, or the fourth threat attribute comprises user data associated with executing the one or more attack execution operations.
6 . The system of claim 1 , wherein the one or more threat attribute data further comprises one or more of:
a fifth threat attribute comprising location data associated with the one or more attack execution operations, a sixth threat attribute comprising operating system data associated with executing the one or more attack execution operations, a seventh threat attribute comprising application data associated with access information associated with executing the one or more attack execution operations, an eighth threat attribute comprising sub-operation data associated with executing at least one sub-attack execution operation associated with the one or more attack execution operations, or a ninth threat attribute comprising remediation data associated with mitigating against the one or more attack execution operations.
7 . The system of claim 1 , wherein at least the first node is connected to one or more second nodes comprised in the plurality of nodes, the one or more second nodes being linked with a third security-related operation, the third security-related operation being configured to execute a first security test on the security object subsequent or prior to executing a second security test using the first security-related operation or the second security-related operation.
8 . The system of claim 1 , wherein the test the security object using the decision tree to determine the security parameter associated with the security object comprises one or more of:
determine a malware category associated with the security object based on a quantitative or qualitative reputation parameter associated with the security object, test the security object for the one or more threat attribute data, test the security object based on network threat data, test the security object based on network data, test the security object based on threat intelligence data, test the security object based on intelligence data, test the security object based on network intelligence data, test the security object based on first vulnerability management data associated with the security object, test the security object based on second vulnerability management data, test the security object based on first policy compliance data associated with the security object, test the security object based on second policy compliance data, test the security object based on first file integrity data correlated to a first monitored security event associated with the security object, test the security object based on second file integrity data, or test the security object based on a second security event.
9 . The system of claim 1 , wherein the test the security object using the decision tree to determine the security parameter associated with the security object comprises one or more of:
determine whether the security object is associated with one or more of: a process object, a second mutually exclusive flag object, or a network object, or determine whether the security object indicates or is associated with an activity associated with a security event comprised in or associated with the one or more attack execution operations.
10 . The system of claim 1 , wherein the decision tree is structured based on one or more of:
first network threat data derived from a threat-actor behavior, second network threat data associated with a security report, or third network threat data derived from the one or more threat attribute data.
11 . The system of claim 1 , wherein the test the security object using the decision tree to determine the security parameter associated with the security object further comprises one or more of:
determine, using the first security-related operation or the second security-related operation, whether the security object is associated with a blacklist of security objects, the blacklist of security objects comprising one or more attack objects that are denied access, or classify, using the first security-related operation or the second security-related operation, a malware sample associated with the security object.
12 . A method comprising:
accessing, using one or more hardware computing device processors, a decision tree comprising a plurality of nodes comprising a first node and a second node; linking, using the one or more hardware computing device processors, the first node comprised in the plurality of nodes comprised in the decision tree with a first security-related operation comprised in a plurality of security-related operations; linking, using the one or more hardware computing device processors, the second node comprised in the plurality of nodes comprised in the decision tree with a second security-related operation or the first security-related operation comprised in the plurality of security-related operations; receiving, using the one or more hardware computing device processors, a security object comprising or associated with a digital or electronic asset that is attackable using one or more attack execution operations, wherein the security object comprises at least one of:
a file hash,
a file registry,
a first mutually exclusive flag object comprising one or more of:
a mechanism serializing access to a resource, or
an object managing how the resource is shared among a multiple program thread, or
an indicator of compromise; and
testing, using the or more hardware computing device processors, the security object using the decision tree to determine a security parameter associated with the security object, wherein the security parameter is used to establish one or more remediation steps associated with the one or more attack execution operations associated with the digital or electronic asset, and wherein the testing, using the or more hardware computing device processors, the security object using the decision tree to determine the security parameter associated with the security object comprises:
determining, using the first security-related operation or the second security-related operation, one or more threat attribute data associated with the security object, the one or more threat attribute data comprising at least one of: a first threat attribute, a second threat attribute, a third threat attribute, or a fourth threat attribute, or
determining, using the first security-related operation or the second security-related operation, the security parameter associated with the security object.
13 . The method of claim 12 , wherein the digital or electronic asset or the security object comprises one or more of:
a file, a network internet protocol, a universal resource locator, a domain name, or a domain object.
14 . The method of claim 12 , wherein at least one of:
the first threat attribute comprises threat actor data associated with an attacker associated with the one or more attack execution operations, the second threat attribute comprises malware data associated with the one or more attack execution operations, the third threat attribute comprises security data associated with a security tool for executing the one or more attack execution operations, or the fourth threat attribute comprises user data associated with executing the one or more attack execution operations.
15 . The method of claim 12 , wherein at least the first node is connected to one or more second nodes comprised in the plurality of nodes, the one or more second nodes being linked with a third security-related operation, the third security-related operation being configured to execute a first security test on the security object subsequent or prior to executing a second security test using the first security-related operation or the second security-related operation.
16 . The method of claim 12 , wherein the testing, using the one or more hardware computing device processors, the security object using the decision tree to determine the security parameter associated with the security object comprises one or more of:
determining a malware category associated with the security object based on a quantitative or qualitative reputation parameter associated with the security object, testing the security object for the one or more threat attribute data, testing the security object based on network threat data, testing the security object based on network data, testing the security object based on threat intelligence data, testing the security object based on intelligence data, testing the security object based on network intelligence data, testing the security object based on first vulnerability management data associated with the security object, testing the security object based on second vulnerability management data, testing the security object based on first policy compliance data associated with the security object, testing the security object based on second policy compliance data, testing the security object based on first file integrity data correlated to a first monitored security event associated with the security object, testing the security object based on second file integrity data, or testing the security object based on a second security event.
17 . The method of claim 12 , wherein the testing, using the one or more hardware computing device processors, the security object using the decision tree to determine the security parameter associated with the security object comprises one or more of:
determining whether the security object is associated with one or more of: a process object, a second mutually exclusive flag object, or a network object, or determining whether the security object indicates or is associated with an activity associated with a security event comprised in or associated with the one or more attack execution operations.
18 . The method of claim 12 , wherein the testing, using the or more hardware computing device processors, the security object using the decision tree to determine the security parameter associated with the security object further comprises one or more of:
determining, using the first the first security-related operation or the second security-related operation, whether the security object is associated with a blacklist of security objects, the blacklist of security objects comprising one or more attack objects that are denied access, or classifying, using the first security-related operation or the second security-related operation, a malware sample associated with the security object.
19 . A system comprising:
one or more hardware computing system processors; and memory storing a plurality of security-related operations and instructions that, when executed by the one or more hardware computing system processors, causes the system to:
access a decision tree comprising a plurality of nodes comprising a first node and a second node,
link the first node comprised in the plurality of nodes comprised in the decision tree with a first security-related operation comprised in the plurality of security-related operations,
link the second node comprised in the plurality of nodes comprised in the decision tree with a second security-related operation or the first security-related operation comprised in the plurality of security-related operations,
receive a security object comprising a digital or electronic asset that is attackable using one or more attack execution operations, wherein the security object comprises at least one of:
a file hash,
a file registry,
a mutually exclusive flag object comprising one or more of:
a mechanism serializing access to a resource, or
an object managing how the resource is shared among a multiple program thread, or
an indicator of compromise, and
test the security object using the decision tree to determine a security parameter associated with the security object;
wherein the security parameter is used to establish one or more steps associated with the one or more attack execution operations associated with the digital or electronic asset; and
wherein the test the security object using the decision tree to determine the security parameter associated with the security object, comprises:
determine, using the first security-related operation or the second security-related operation, one or more threat attribute data associated with the security object, the one or more threat attribute data comprising at least one of: a first threat attribute, a second threat attribute, a third threat attribute, or a fourth threat attribute, and
determine, using the first security-related operation or the second security-related operation, the security parameter associated with the security object.
20 . The system of claim 19 , wherein the system is comprised in or comprises one or more computing devices.Join the waitlist — get patent alerts
Track US2025378179A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.